feat(flag): add --cacert flag (#9781)

docs/docs/references/configuration/cli/trivy.md

@@ -29,6 +29,7 @@ trivy [global flags] command [flags] target
 ### Options
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_clean.md

@@ -35,6 +35,7 @@ trivy clean [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_cloud.md

@@ -11,6 +11,7 @@ Control Trivy Cloud platform integration settings
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_cloud_config.md

@@ -11,6 +11,7 @@ Control Trivy Cloud configuration
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_cloud_config_edit.md

@@ -19,6 +19,7 @@ trivy cloud config edit [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_cloud_config_get.md

@@ -28,6 +28,7 @@ trivy cloud config get [setting] [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_cloud_config_list.md

@@ -19,6 +19,7 @@ trivy cloud config list [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_cloud_config_set.md

@@ -28,6 +28,7 @@ trivy cloud config set [setting] [value] [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_cloud_config_unset.md

@@ -28,6 +28,7 @@ trivy cloud config unset [setting] [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_config.md

@@ -84,6 +84,7 @@ trivy config [flags] DIR
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_convert.md

@@ -58,6 +58,7 @@ trivy convert [flags] RESULT_JSON
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -178,6 +178,7 @@ trivy filesystem [flags] PATH
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_image.md

@@ -199,6 +199,7 @@ trivy image [flags] IMAGE_NAME
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -187,6 +187,7 @@ trivy kubernetes [flags] [CONTEXT]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_login.md

@@ -29,6 +29,7 @@ trivy login [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_logout.md

@@ -15,6 +15,7 @@ trivy logout [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_module.md

@@ -13,6 +13,7 @@ Manage modules
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_module_install.md

@@ -15,6 +15,7 @@ trivy module install [flags] REPOSITORY
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_module_uninstall.md

@@ -15,6 +15,7 @@ trivy module uninstall [flags] REPOSITORY
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_plugin.md

@@ -11,6 +11,7 @@ Manage plugins
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_plugin_info.md

@@ -15,6 +15,7 @@ trivy plugin info PLUGIN_NAME
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_plugin_install.md

@@ -28,6 +28,7 @@ trivy plugin install NAME | URL | FILE_PATH
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_plugin_list.md

@@ -15,6 +15,7 @@ trivy plugin list
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_plugin_run.md

@@ -15,6 +15,7 @@ trivy plugin run NAME | URL | FILE_PATH
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_plugin_search.md

@@ -15,6 +15,7 @@ trivy plugin search [KEYWORD]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_plugin_uninstall.md

@@ -15,6 +15,7 @@ trivy plugin uninstall PLUGIN_NAME
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_plugin_update.md

@@ -15,6 +15,7 @@ trivy plugin update
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_plugin_upgrade.md

@@ -15,6 +15,7 @@ trivy plugin upgrade [PLUGIN_NAMES]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_registry.md

@@ -11,6 +11,7 @@ Manage registry authentication
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_registry_login.md

@@ -25,6 +25,7 @@ trivy registry login SERVER [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_registry_logout.md

@@ -22,6 +22,7 @@ trivy registry logout SERVER [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_repository.md

@@ -177,6 +177,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -179,6 +179,7 @@ trivy rootfs [flags] ROOTDIR
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -147,6 +147,7 @@ trivy sbom [flags] SBOM_PATH
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_server.md

@@ -45,6 +45,7 @@ trivy server [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_version.md

@@ -16,6 +16,7 @@ trivy version [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_vex.md

@@ -11,6 +11,7 @@
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_vex_repo.md

@@ -25,6 +25,7 @@ Manage VEX repositories
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_vex_repo_download.md

@@ -19,6 +19,7 @@ trivy vex repo download [REPO_NAMES] [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_vex_repo_init.md

@@ -15,6 +15,7 @@ trivy vex repo init [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_vex_repo_list.md

@@ -15,6 +15,7 @@ trivy vex repo list [flags]
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/cli/trivy_vm.md

@@ -163,6 +163,7 @@ trivy vm [flags] VM_IMAGE
 ### Options inherited from parent commands
 
 ```
+      --cacert string             Path to PEM-encoded CA certificate file
       --cache-dir string          cache directory (default "/path/to/cache")
   -c, --config string             config path (default "trivy.yaml")
   -d, --debug                     debug mode

docs/docs/references/configuration/config-file.md

@@ -9,6 +9,9 @@ These samples contain default values for flags.
 ## Global options
 
 ```yaml
+# Same as '--cacert'
+cacert: ""
+
 cache:
   # Same as '--cache-dir'
   dir: "/path/to/cache"

docs/docs/references/troubleshooting.md

@@ -78,15 +78,27 @@ Common mistakes include the following, depending on where you are pulling images
 $ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]
 ```
 
-On Unix systems other than macOS, you can specify the location of your certificate using `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables.
+If you need to trust a custom CA certificate, you can provide a PEM-encoded bundle.
 
-```
-$ SSL_CERT_FILE=/path/to/cert trivy image [YOUR_IMAGE]
-```
+=== "Unix (except macOS)"
 
-```
-$ SSL_CERT_DIR=/path/to/certs trivy image [YOUR_IMAGE]
-```
+    You can specify the location of your certificate using the `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables.
+
+    ```bash
+    $ SSL_CERT_FILE=/path/to/ca.pem trivy image [YOUR_IMAGE]
+    ```
+
+    ```bash
+    $ SSL_CERT_DIR=/path/to/certs trivy image [YOUR_IMAGE]
+    ```
+
+=== "All systems"
+
+    Use the `--cacert` flag to point Trivy to a PEM-encoded CA certificate file, regardless of the operating system.
+
+    ```bash
+    $ trivy image --cacert /path/to/ca.pem [YOUR_IMAGE]
+    ```
 
 ### GitHub Rate limiting
 Trivy uses GitHub API for [VEX repositories](../supply-chain/vex/repo.md).

pkg/commands/artifact/run.go

@@ -131,6 +131,7 @@ func NewRunner(ctx context.Context, cliOptions flag.Options, targetKind TargetKi
 	// Set the default HTTP transport
 	xhttp.SetDefaultTransport(xhttp.NewTransport(xhttp.Options{
 		Insecure:  cliOptions.Insecure,
+		CACerts:   cliOptions.CACerts,
 		Timeout:   cliOptions.Timeout,
 		TraceHTTP: cliOptions.TraceHTTP,
 	}))

pkg/commands/server/run.go

@@ -22,6 +22,7 @@ func Run(ctx context.Context, opts flag.Options) (err error) {
 	// Set the default HTTP transport
 	xhttp.SetDefaultTransport(xhttp.NewTransport(xhttp.Options{
 		Insecure: opts.Insecure,
+		CACerts:  opts.CACerts,
 		Timeout:  opts.Timeout,
 	}))
 

pkg/fanal/image/registry/ecr/ecr.go

@@ -37,6 +37,7 @@ func getSession(domain, region string, option types.RegistryOptions) (aws.Config
 	// cf. https://github.com/aquasecurity/trivy/discussions/9429
 	client := awshttp.NewBuildableClient().WithTransportOptions(func(transport *http.Transport) {
 		transport.TLSClientConfig.InsecureSkipVerify = option.Insecure
+		transport.TLSClientConfig.RootCAs = option.CACerts
 	})
 	// create custom credential information if option is valid
 	if option.AWSSecretKey != "" && option.AWSAccessKey != "" && option.AWSRegion != "" {

pkg/fanal/types/image.go

@@ -1,6 +1,8 @@
 package types
 
 import (
+	"crypto/x509"
+
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 )
 
@@ -87,6 +89,7 @@ type RegistryOptions struct {
 
 	// SSL/TLS
 	Insecure bool
+	CACerts  *x509.CertPool
 
 	// Architecture
 	Platform Platform

pkg/flag/global_flags.go

@@ -1,10 +1,12 @@
 package flag
 
 import (
+	"crypto/x509"
 	"os"
 	"time"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/cache"
 	"github.com/aquasecurity/trivy/pkg/log"
@@ -49,6 +51,12 @@ var (
 		Persistent:    true,
 		TelemetrySafe: true,
 	}
+	CACertFlag = Flag[string]{
+		Name:       "cacert",
+		ConfigName: "cacert",
+		Usage:      "Path to PEM-encoded CA certificate file",
+		Persistent: true,
+	}
 	TimeoutFlag = Flag[time.Duration]{
 		Name:          "timeout",
 		ConfigName:    "timeout",
@@ -87,6 +95,7 @@ type GlobalFlagGroup struct {
 	Quiet                 *Flag[bool]
 	Debug                 *Flag[bool]
 	Insecure              *Flag[bool]
+	CACert                *Flag[string]
 	Timeout               *Flag[time.Duration]
 	CacheDir              *Flag[string]
 	GenerateDefaultConfig *Flag[bool]
@@ -100,6 +109,7 @@ type GlobalOptions struct {
 	Quiet                 bool
 	Debug                 bool
 	Insecure              bool
+	CACerts               *x509.CertPool
 	Timeout               time.Duration
 	CacheDir              string
 	GenerateDefaultConfig bool
@@ -113,6 +123,7 @@ func NewGlobalFlagGroup() *GlobalFlagGroup {
 		Quiet:                 QuietFlag.Clone(),
 		Debug:                 DebugFlag.Clone(),
 		Insecure:              InsecureFlag.Clone(),
+		CACert:                CACertFlag.Clone(),
 		Timeout:               TimeoutFlag.Clone(),
 		CacheDir:              CacheDirFlag.Clone(),
 		GenerateDefaultConfig: GenerateDefaultConfigFlag.Clone(),
@@ -131,6 +142,7 @@ func (f *GlobalFlagGroup) Flags() []Flagger {
 		f.Quiet,
 		f.Debug,
 		f.Insecure,
+		f.CACert,
 		f.Timeout,
 		f.CacheDir,
 		f.GenerateDefaultConfig,
@@ -156,6 +168,10 @@ func (f *GlobalFlagGroup) Bind(cmd *cobra.Command) error {
 func (f *GlobalFlagGroup) ToOptions(opts *Options) error {
 	// Keep TRIVY_NON_SSL for backward compatibility
 	insecure := f.Insecure.Value() || os.Getenv("TRIVY_NON_SSL") != ""
+	caCerts, err := loadRootCAs(f.CACert.Value())
+	if err != nil {
+		return xerrors.Errorf("failed to load root CA certificates: %w", err)
+	}
 
 	log.Debug("Cache dir", log.String("dir", f.CacheDir.Value()))
 
@@ -165,6 +181,7 @@ func (f *GlobalFlagGroup) ToOptions(opts *Options) error {
 		Quiet:                 f.Quiet.Value(),
 		Debug:                 f.Debug.Value(),
 		Insecure:              insecure,
+		CACerts:               caCerts,
 		Timeout:               f.Timeout.Value(),
 		CacheDir:              f.CacheDir.Value(),
 		GenerateDefaultConfig: f.GenerateDefaultConfig.Value(),
@@ -172,3 +189,25 @@ func (f *GlobalFlagGroup) ToOptions(opts *Options) error {
 	}
 	return nil
 }
+
+// loadRootCAs builds a cert pool from the system pool and the provided PEM bundle.
+// Returns nil if caCertPath is empty or on failure.
+func loadRootCAs(caCertPath string) (*x509.CertPool, error) {
+	if caCertPath == "" {
+		return nil, nil
+	}
+
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil || rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	pem, err := os.ReadFile(caCertPath)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to read root CA certificate: %w", err)
+	}
+	if ok := rootCAs.AppendCertsFromPEM(pem); !ok {
+		return nil, xerrors.Errorf("failed to append CA bundle")
+	}
+	return rootCAs, nil
+}

pkg/flag/options.go

@@ -514,6 +514,7 @@ func (o *Options) RegistryOpts() ftypes.RegistryOptions {
 		Credentials:     o.Credentials,
 		RegistryToken:   o.RegistryToken,
 		Insecure:        o.Insecure,
+		CACerts:         o.CACerts,
 		Platform:        o.Platform,
 		AWSRegion:       o.AWSOptions.Region,
 		RegistryMirrors: o.RegistryMirrors,

pkg/x/http/transport.go

@@ -4,6 +4,7 @@ import (
 	"cmp"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -30,6 +31,7 @@ func WithTransport(ctx context.Context, tr http.RoundTripper) context.Context {
 type Options struct {
 	Insecure  bool
 	Timeout   time.Duration
+	CACerts   *x509.CertPool
 	UserAgent string
 	TraceHTTP bool
 }
@@ -68,10 +70,11 @@ func NewTransport(opts Options) http.RoundTripper {
 	}
 	tr.DialContext = d.DialContext
 
-	// Configure TLS
-	if opts.Insecure {
+	// Configure TLS only when needed.
+	if opts.CACerts != nil || opts.Insecure {
 		tr.TLSClientConfig = &tls.Config{
 			InsecureSkipVerify: opts.Insecure,
+			RootCAs:            opts.CACerts,
 		}
 	}